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Abstract Key predistribution schemes for distributed sensor networks have received significant 



■ attention in the recent literature. In this paper we propose a new construction method for these 

schemes based on combinations of duals of standard block designs. Our method is a broad 
spectrum one which works for any intersection threshold. By varying the initial designs, we 
can generate various schemes and this makes the method quite flexible. We also obtain explicit 
algebraic expressions for the metrics for local connectivity and resiliency. These schemes are 
quite efficient with regard to connectivity and resiliency and at the same time they allow a 
^> ' straightforward shared-key discovery. 



1 Introduction 

X 

H , 

Distributed sensor networks have been extensively studied in recent years due to their wide 
applicability in both civilian and military contexts. For instance, in a military operation, sensor 
nodes may be distributed in a random manner over a sensitive area and, once deployed, these 
nodes are required to communicate with each other in order to gather and relay information. 
This communication has to be done in a secret manner and so secure keys need to be established 
between the nodes in the system. For more details on the applications, the security framework 
and models for these distributed sensor networks (DSNs) we refer e.g., to Carmen et al. (2000), 
Roman et al. (2005) and Du et al. (2005). There are also interesting results pertaining to an 
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alternative situation where the location of sensor nodes can be determined prior to deployment, 
e.g., results by Younis et al. (2006), Martin et al., (2010), Blackburn et al. (2010), Martin et 
al. (2011), and others. In this paper we focus on the situation of random deployment of nodes. 

Several authors have recommended the use of key predistribution schemes (KPSs) in a DSN, 
where secret keys are installed in each sensor node before deployment. Eschenauer and Gligor 
(2002) pioneered a probabilistic approach to key predistribution and gave a scheme in which 
every node is assigned a randomly chosen subset of keys from a given pool of keys. Chan et 
al. (2003) generalized this basic scheme to the g-composite scheme, where two nodes can com- 
municate only if they share at least q common keys, where q is a prespecified integer called 
the intersection threshold. Camtepe and Yener (2004) first introduced the use of combinato- 
rial designs in KPSs, using finite projective planes and generalized quadrangles. The principal 
advantages of using deterministic key assignment schemes based on combinatorial designs com- 
pared to random key assignment is that, in the former approach, the problem of generating 
good pseudorandom numbers is avoided, and moreover, by exploiting the combinatorial struc- 
tures of the underlying designs, one can study the local connectivity and resiliency properties 
of the scheme easily, and also carry out shared-key discovery and path-key establishment in a 
structured manner. For more details on these advantages we refer to Lee and Stinson (2008) 
and Martin (2009). 

Many researchers appreciated the advantages of the above approach and continued to further 
develop this area. Lee and Stinson (2005a, 2005b) gave a construction based on transversal 
designs, Chakrabarti et al. (2006) followed this by proposing a merger of a random selection of 
blocks of a transversal design to form the nodes, Dong et al. (2008) used 3-designs, Ruj and 
Roy (2007) used partially balanced designs and Ruj et al. (2009) used balanced incomplete 
block designs in their construction. Lee and Stinson (2008) gave a comprehensive account of 
key assignment schemes based on combinatorial designs and studied all aspects of their schemes. 
They gave constructions for two classes of schemes, namely, a linear scheme with intersection 
threshold q = 1 and a quadratic scheme with q = 2, based on transversal designs. They studied 
these two classes of schemes separately and, for each of the two classes, they showed their 
scheme to be efficient with regard to the levels of connectivity and resiliency, while allowing 
simple shared- key discovery and path-key establishment. The numbers of nodes required in the 
network for these two classes of KPSs are of the form p 2 and p 3 , respectively, where p is a prime 
or prime power. 
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In this paper we propose a new method for constructing KPSs and then study the properties 
of the resulting schemes. Realizing a connection between the transversal designs used by Lee 
and Stinson (2008) in their construction for q = 1 and a particular type of partially balanced 
incomplete block designs, we consider the latter designs in their full generality and show that 
we can construct useful KPSs based on a suitable combination of partially balanced incomplete 
block designs. We propose one general construction method for any given intersection threshold 
q (> 1), and it will be seen that for the case q = 1, our construction covers the linear scheme of 
Lee and Stinson (2008). One advantage of our proposed method is that it works for all q(> 1), 
and by varying the choices of the designs, one can construct KPSs for networks with varying 
numbers of nodes, key-pool sizes and numbers of keys per node, thus providing more flexibility 
in choosing a scheme suitable for the requirements of a situation. For example, now the number 
of nodes need not be of the particular forms p 2 or p 3 , with p prime or prime power, as in Lee 
and Stinson (2008). These points will be elaborated on in Section 8. 

Another advantage of our method of construction is that it allows us to obtain unified and 
explicit algebraic expressions for the metrics for evaluating the connectivity and resiliency of 
these schemes, all for general values of q(> 1). Using these expressions, the metrics can be 
easily calculated from the parameters of the particular designs used in the construction. This 
may be contrasted with Lee and Stinson (2008), Ruj and Roy (2007) or Ruj et al. (2009), where 
evaluation of the metrics can involve explicit enumeration which may become cumbersome. 
We also show that our KPSs have good connectivity with high levels of resiliency and the 
combinatorial structure of the underlying designs make the shared-key discovery and path-key 
establishment phases particularly simple. 

In Section 2 of this paper we give some preliminaries on various metrics for evaluating 
a KPS, followed by some basics on block designs. Section 3 describes our proposed method 
for constructing a KPS. Next, in Sections 4 and 5 we obtain expressions for the connectivity 
and resiliency metrics for these schemes and give illustrative examples. In Section 6 we apply 
our method to constructions based on some specific block designs, together with numerical 
illustrations. In Section 7 we discuss how we can label the keys and nodes so that shared-key 
discovery and path-key establishment become simple. Finally in Section 8 we discuss the gains 
achieved via our method of construction. 
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2 Preliminaries 



2.1 Some metrics for evaluating KPSs 

Several authors have considered some standard metrics for evaluating the performance of key 
predistribution schemes for distributed sensor networks. We briefly describe these metrics here; 
a more comprehensive account can be found in Lee and Stinson (2008). 

Two basic metrics of a KPS are the network size or the number of nodes in the network and 
the key storage or the number of keys stored per node, usually denoted by n and k, respectively. 
A KPS should typically have large n, say 1000 or much higher and small k, say about 50, though 
some authors have used k up to 200. 

In a DSN the nodes are scattered over a physical area and, since nodes have limited power, 
each can send or receive signals only over a certain wireless communication range or neighborhood. 
Once the nodes are deployed, any two nodes which are within each other's neighborhood can 
securely communicate directly with each other if they have at least q common keys, where q(> 1) 
is a specified integer, the intersection threshold of the DSN. On the other hand, if two nodes 
in the same neighborhood do not have q common keys, then they can establish a connection 
through multiple secure links if there is a sequence of one or more intermediate nodes connecting 
them such that every pair of adjacent nodes in this sequence share q common keys. 

To study the local connectivity of the network, we adopt the metrics used in Lee and Stinson 
(2005b, 2008), and for this, we now introduce the relevant probabilities as defined by them. 
Define Pri to be the probability that two random nodes share at least q common keys. Thus 
given any two randomly chosen nodes within each other's neighborhood, Pri is the probability 
that these two nodes can establish secure direct communication with each other. Also, define 
Pr2 to be the probability that two nodes in the same neighborhood do not have q common keys 
but there is a third node within the intersection of their neighborhoods which shares q common 
keys with both of them, thus allowing these two nodes to communicate securely via this third 
node. So Pr2 is the probability that two randomly chosen nodes within the same neighborhood 
fail to establish direct communication but can communicate via a two-hop path. Hence, the sum 
Pr = Pri + Pr2 is a useful metric for studying the local connectivity of a KPS through either a 
secure direct link or a secure two-hop path. 

Now suppose in an attack on the network a number of sensor nodes are captured at random. 
Then it is assumed that all keys stored in these compromised nodes are revealed and so cannot 
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be used for communication any more. Consider any two uncompromised nodes, say A and A', 
which have at least q common keys. Then the direct communication link between A and A' 
fails if keys common to them occur in one or more of the compromised nodes; otherwise, the 
link remains secure. We want the sensor network to be resilient against such random node 
compromises. From this consideration, resiliency is measured by fail(s), which represents the 
conditional probability of the link between A and A' to fail when out of the remaining n — 2 
nodes, s randomly chosen ones are compromised, given that A and A' share at least q common 
keys. A smaller value of fail(s) implies a larger resiliency. 

Finally, in order to communicate, two nodes in the same neighborhood need to determine if 
they share q common keys; this is the shared-key discovery phase, and if they do not, then they 
try to establish a secure two-hop path for communication; this is the path-key establishment 
phase. The difficulties involved in these two phases are also used to assess the utility of a KPS. 

2.2 Some basics on block designs 

We present some basic definitions of block designs and related concepts which we will need in our 
constructions of KPSs. Illustrative examples are also given. For more details on these designs 
we refer to Street and Street (1987), Stinson (2003) and Dey (2010). 

Definition 2.1 A block design d* is an arrangement of a set of v* symbols into b* subsets, these 
subsets being called blocks. 

Example 2.1 The following is a block design d* with v* = 9, b* = 12. Denoting the symbols 
by 1, . . . , 9 and blocks by 1, ... , 12, we can write 



d* : 



Block 


Symbols 


Block 


Symbols 


Block 


Symbols 


Block 


Symbols 


1 


4,7,2 


4 


5,8,3 


7 


6,9,1 


10 


1,2,3 


2 


7,1,5 


5 


8,2,6 


8 


9,3,4 


11 


4,5,6 


3 


1,4,8 


6 


2,5,9 


9 


3,6,7 


12 


7,8,9 



□ 

Definition 2.2 If d* is a block design with v* symbols and b* blocks then its dual design, say 
d, is a block design obtained from d* by interchanging the roles of symbols and blocks, i.e., d is 
a block design involving b* symbols and v* blocks, such that the ith block of d contains the jth 
symbol if and only if the jth block of d* contains the ith symbol, 1 < i < v*, 1 < j < b*. 



5 



Example 2.2 The dual design d obtained from d* in Example 2.1 has 12 symbols, 1 ,12 

and 9 blocks denoted by Bi, . . . , Bg as follows: 

Block Symbol Block Symbol Block Symbol 
Bi 2,3,7,10 B 4 1,3,8,11 B 7 1,2,9,12 

d : 

B 2 1,5,6,10 B 5 2,4,6,11 B s 3,4,5,12 
B 3 4,8,9,10 B 6 5,7,9,11 B 9 6,7,8,12 

□ 

Definition 2.3 A balanced incomplete block (BIB) design is a block design d* satisfying the 
following conditions: (i) each symbol appears at most once in a block, (ii) each block has a fixed 
number of symbols, say k* , (Hi) each symbol appears in a fixed number of blocks, say r* , and 
(iv) every pair of distinct symbols appear together in A blocks. 

The integer A is called the concurrence parameter of the BIB design. It can be checked that the 
design in Example 2.1 is a BIB design with A = 1. 

Definition 2.4 A relationship defined on a set of symbols is called an association scheme with 
two associate classes if it satisfies the following conditions: (a) any two distinct symbols are 
called either 1st or 2nd associates of each other, any symbol being called the 0th associate of 
itself, (b) each symbol has 6j jth associates (j = 0, 1, 2), and (c) for every pair of symbols which 
are jth associates of each other, there are 0^ symbols that are uth associates of one and wth 
associates of the other (j, u, w = 0, 1, 2). 

The following relations are evident from Definition 2.4: 

#0 = 1, 00,0 = 00,2 = 02,0 = 00,0 = 01,0 = 00,1 = °> 00,1 = 01,0 = 00,2 = 02,0 = L (!) 

Various association schemes are available in the literature and for these we refer to Clatworthy 
(1973). Our construction and results are valid for any general association scheme but in our 
illustrations in Section 6, we use three of these association schemes, namely group divisible, 
triangular and Latin square type association schemes. These are defined below. 

Definition 2.5 Let there be af symbols, (a, f > 2), partitioned into a groups of f symbols each, 
and let the symbols in the ith group be denoted by il, i2, . . . , if, i = 1, . . . , a. A group divisible 
(GD) association scheme on these af symbols is defined as one where two distinct symbols are 
called 1st associates if they belong to the same group, and 2nd associates otherwise. 
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The above definition implies that for the GD association scheme, in addition to (1) we have 
Oi = f-l, e 2 = /(o-l),^ )1 = /-2, 4 2 = 4 1 = 0, 4 2 = /(a-l), ^ = 0, 0?, 2 = = 
f-1, 0| )2 = /(a-2). 

Example 2.3 Let a = 2, / = 3. Then the 6 symbols are partitioned into two groups as: 
{11,12,13}, {21,22,23}. Now, for the symbol 11, the 1st associates are 12,13 while its 2nd 
associates are 21,22,23. Similarly, the 1st and 2nd associates of other symbols may be written 
down and the parameters of the scheme can be obtained. □ 

Definition 2.6 Let there be (™) symbols, (m > 4), denoted by ordered pairs ij, 1 < i < j < m. 

A triangular association scheme on these symbols is defined as one where any two distinct 
symbols are called 1st associates if the ordered pairs representing these symbols have one element 
in common, and 2nd associates otherwise. 

The above definition implies that for the triangular association scheme, in addition to (1) we 
have 9 1 = 2(m - 2), 9 2 = ( m ~ 2 ), tj>{ A = m - 2, 4>{ 2 = 4,1 = m - 3, <f>\ 2 = ( m 2 3 ),4>l,i = 4, 4>l,2 = 
4 1 = 2m-8,^ 2 = r 2 - 4 )- 

Example 2.4 Let m = 5. The ( 2 ) (= 10) symbols are denoted by the ordered pairs: 12, 13, 14, 15, 
23, 24, 25, 34, 35, 45. Now, for the symbol 12, the 1st associates are 13, 14, 15, 23, 24, 25 while its 
2nd associates are 34, 35, 45. Similarly, the 1st and 2nd associates of other symbols may be 
written down and the parameters of the scheme obtained. □ 

Definition 2.7 Let there be p 2 symbols, p > 3, arranged in a p x p square S and suppose k — 2 
mutually orthogonal Latin squares of order p are available. A Latin square type association 
scheme on these p 2 symbols is defined as one where any two distinct symbols are called 2nd 
associates if they occur in the same row or same column of S or if, after superimposing each of 
the Latin squares on S, they occur in positions occupied by the same letter in any of the Latin 
squares. Otherwise, they are called 1st associates. 

The above definition implies that for the Latin square type association scheme, in addition to 
(1) we have l = ( p -l)( p -k + l), 9 2 = fc(p-l), 4>\i = (p- k)(p- k- 1) +p- 2, <f>\ 2 = <f>\ 1 = 
k{p - k), 4>\ 2 = k(k - l), <ft A = ( P - k)( P -k + l), 4>i, 2 = = (k - l)(p -k + l), 4>\ 2 = 
[k- l)(fe-2)+p-2. 



7 



Example 2.5 Let p = 4 and k = 3. We denote the 4 2 (= 16) symbols by the ordered pairs: 
11, 12, 13, 14, 21, 22, ... , 43, 44 and write S and the single Latin square C as 



11 12 13 14 

21 22 23 24 

31 32 33 34 

41 42 43 44 



C = 



A B C D 

B C D A 

C D A B 

D A B C. 



Then it follows that for the symbol 11, the 2nd associates are 12,13,14,21,31,41,24,33,42, 
while its 1st associates are 22, 23, 32, 34, 43, 44. Similarly, the 1st and 2nd associates of other 
symbols may be written down and the parameters of the scheme obtained. □ 

Definition 2.8 Given an association scheme with two associate classes on a set of v* symbols, 
a partially balanced incomplete block (PBIB) design based on this association scheme is a block 
design d* with v* symbols and b* blocks satisfying the following conditions: (i) each symbol 
appears at most once in a block, (ii) each block has a fixed number of symbols, say k* , (Hi) each 
symbol appears in a fixed number of blocks, say r* , and (iv) every pair of symbols which are jth 
associates of each other appear together in Xj blocks (j = 1,2). 

The integers Ai and A2 are the two concurrence parameters of the PBIB design, where Ai / A2. 

Example 2.6 We can construct a PBIB design d* based on the GD association scheme by 
pairing each of the af symbols with its second associates to form the blocks. Thus, such a 
design can be constructed for every integer a, /(> 2). It is easy to see that this design will have 
v * = a f, b* = (%)f 2 , k* = 2, r* = (a - 1)/ and Ai = 0, A 2 = 1. For example, a PBIB design 
based on the GD association scheme in Example 2.3 can be constructed by pairing each of the 
6 symbols with its second associates to get 9 blocks as follows: 





Block 


Symbol 


Block 


Symbol 


Block Symbol 


d* : 


1 


11,21 


4 


12,21 


7 13,21 


2 


11,22 


5 


12,22 


8 13,22 




3 


11,23 


6 


12,23 


9 13,23 


Clearly, this GD desif 


m has v* 


= 6, b* = 


= 9, k* = 


2, r* = 3, Ai = 0, A 2 = 1 



□ 



Example 2.7 We can construct a PBIB design d* based on the triangular association scheme 
by pairing each of the (™) symbols with its second associates to get the blocks. Thus, such a 



design can be constructed for every m > 4. It is easy to see that this design will have v* = (™) , 
b* = 3(7), k* = 2, r* = ( m ~ 2 ), and Ai = 0, A 2 = 1. For example, a PBIB design based on the 
triangular association scheme in Example 2.4 has 10 symbols arranged in 15 blocks given by: 
(12, 34), (12, 35), (12, 45), (13, 24), (13, 25), (13, 45), etc. □ 

For a given positive integer t(> 1), we now consider t block designs d\, . . . , d% such that each 
d* is a PBIB design based on an association scheme with two associate classes and concurrence 
parameters Ai = 0, A2 = 1, the common occurrence number of every symbol in d* (i = 1, . . . ,t) 
being at least t. For 1 < i < t, consider the dual di of d* and denote the symbols of di by 
. . . , Vi(i), and blocks by B\{i), . . . , B^.(i). Then from Definitions 2.2 and 2.8, it is evident 
that each such di, involving Vi symbols and b, L blocks, satisfies the following conditions: 

(I) every symbol occurs at most once in each block of di, 

(II) every symbol occurs in a fixed number of blocks, say rj (2 < r« < 6j), of di, 

(III) every block of di contains a fixed number of symbols, say ki (vi > h>t), and 

(IV) there is an association scheme with two associate classes on the set of blocks of di; any 
two distinct blocks either have no common symbol, in which case they are called 1st associates 
of each other; or they have exactly one symbol in common, in which case they are called 2nd 
associates of each other; every block being its own 0th associate. 

For 1 < i < t, let 9j(i) denote the number of jth associates of any block of di, and given any 
two blocks which are jth associates of each other, let 4 > i,w{^) denote the number of blocks of di 
which are nth associates of one and u>th associates of the other (j,u,w = 0, 1,2). Then clearly, 
for each design di the relations corresponding to (1) hold, and moreover, 



6 (i) = 1, 0i (i) + 9 2 (i) = bi-l and 0i (i) > 0, 6 2 (i) > (1 < i < t). 



(2) 



Example 2.8 Let d\ be the PBIB design given in Example 2.6. Then, the dual of d\ is given 
by a design d\ with 6 symbols arranged in 9 blocks. Denoting these symbols as 1(1), . . . ,9(1) 
and the blocks as -Bi(l), • • • ,Bq{1) as described above, the design d\ has blocks given by: 



Block Symbols 
di: Bi(l) 1(1), 2(1), 3(1) 
B 2 (l) 4(1), 5(1), 6(1) 

Clearly, d\ satisfies conditions (I)- (III) above with v\ 



Block Symbols 
B 3 (l) 7(1), 8(1), 9(1) 
£ 4 (1) 1(1),4(1),7(1) 



Block Symbols 
B 5 (l) 2(1), 5(1), 8(1) 
B 6 (l) 3(1), 6(1), 9(1) 



9, 61 = 6, n = 2, h 



3. Also, 
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condition (IV) is satisfied; we have the following association structure: 



Block 


1st associates 


2nd associates 


Bi{l) 


B 2 {1),B 3 (1) 


B 4 (1),B 5 (1),B 6 (1) 


B 2 (l) 


B 1 (1), J B 3 (1) 


B 4 (1),B 5 (1),56(1) 




Bi(l),B 2 (l) 


B 4 (1),B 5 (1),B6(1) 


^4(1) 


B 5 (1),B 6 (1) 


Bi(l),S 2 (l),B 3 (l) 




B 4 (1),B 6 (1) 


S 1 (1),S 2 (1),B 3 (1) 


B 6 (l) 


B4(1),B 5 (1) 


Bi(l),B 2 (l),B 3 (l) 



So, in addition to the relations in (1), we have #i(l) = 2, #2(1) = 3, </>i ;1 (l) = 1, ^12(1) = 
^i(l) = 0, 02, 2 (1) = 3, ^(1) = 0, 0?, 2 (1) = ^(1) = 2, 01, 2 (1) = 0. □ 

In the above development, we can as well take any d* to be a BIB design with A = 1, each 
symbol appearing at least t times in the design. Then by Definitions 2.2 and 2.3, its dual design 
di will again satisfy the conditions (I)-(IV), but with 9\{i) = 0. This is because in this case, 
any two blocks of di will always have exactly one symbol in common and so by (IV), any two 
distinct blocks of di can only be second associates, there being no 1st associates for any block. 
Thus, conditions (1) and (2) are valid, keeping in mind that now in (2), 9\(i) = and in (1), 
the quantities (f>\ w (i) do not arise, while <f>u, w (^) = an d ( t > \, w {^) = whenever u = 1 or w = 1. 

Example 2.9 Let d\ be the BIB design in Example 2.1. Then, the dual of d\ is the design 
in Example 2.2, denoted by d 2 , say. Clearly, d 2 satisfies conditions (I)-(III) with v 2 = 12, 62 = 
9, r 2 = 3, k 2 = 4. Also, condition (IV) is satisfied with no block in d 2 having any other block as 
its 1st associate, all distinct blocks being 2nd associates of each other. Thus, in addition to the 
relations in (1), we have 6>i(2) = 0, 2 (2) = 8, 4>\i{2) = 4>\ 2 {2) = <f% fl (2) = 0, 4>\ 2 {2) = 7. □ 

In view of the above discussion, define two sets Q and Q as 

Q = {i : l < i < t, 0x(i) > 0} and Q = {i : 1 < i < t, 6i(i) = 0}. (3) 
Clearly, i E Q if d* is a PBIB design and i G Q if d* is a BIB design as indicated above. 

3 Construction of KPS 

Suppose the intersection threshold of the required KPS is stipulated as q. We consider t = q 
block designs d*,l < i < t, where each d* is either a PBIB design with Ai = 0, A2 = 1 or a 
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BIB design with A = 1; every symbol appearing at least t times in each design. As before, for 
1 < i < t, let di be the dual of design d*, so di satisfies conditions (I)-(IV) listed in Subsection 2.2. 
A KPS with q = t, based on the designs d\, . . . ,dt is constructed as follows. 

First identify the symbols in d±, . . . , dt as the keys of the KPS. Next, consider all possible 
selections of one block from each di, 1 < i < t, and take the union of the t blocks in each 
such selection as a node of the KPS. Thus the resulting KPS has v = Ya=i v i keys given by the 
symbols . . . , Vi(i), (1 < i < t) and n = n* =1 6j nodes given by 

N{a 1 ...a t ) = B ai (l)U---UB at (t), 1 < a { < h, l<i<t. (4) 

By condition (III) in Subsection 2.2, every node has k = Ya=i h keys. Note that n is multiplica- 
tive in the bi while k is additive in the hi, 1 < i < t. As illustrated later, this helps in attaining 
the twin objectives of having a large number of nodes in the network while keeping the number 
of keys stored per node relatively small. 

Remark 3.1 One of the two constructions in Lee and Stinson (2008), namely, the one with 
q = 1, is covered by (4). This fact will be elucidated in more detail in Remarks 4.3 and 5.3. □ 

For 1 < i < t, it is clear from (4) that the block B ai (i) is the contribution of the design di 
to the node N(a\ . . . a t ). From this perspective, we introduce the following definition. 

Definition 3.1 When nodes are constructed as in (4), the block of di that appears in any node 
A is called the projection of the node A on the design di and is denoted by proj(A,i). 

Thus from (4), B ai (i) is the projection of the node N(a\ . . . at) on di. We now define an 
association scheme on the set of nodes as given by (4). This will play a crucial role in exploring 
the properties of the KPSs obtained through (4). Here each associate relationship is represented 
by a t-tuple of the form j\ . . . jt- 

Definition 3.2 Two distinct nodes A and A' are ji . . . jtth associates of each other if, for 1 < 
i < t, proj(A,i) and proj(A' ,i) are jith associates of each other. 

We illustrate the above ideas with a small toy example below. 

Example 3.1 Toy Example: Let q = 2. So, by the above method, we take t = 2 and construct 
a KPS with q = 2 based on two designs, d\ and d%- Let us take d\ as the PBIB design given 
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in Example 2.6 and d\ as the BIB design in Example 2.1. Their respective duals d\ and d,2 are 
given in Examples 2.8 and 2.2. The KPS constructed by the above method has n = &1&2 = 54 
nodes with k = k\ + ki = 7 keys per node. Using (4), we get the key assignments in the nodes, 
for example, two typical nodes are: 

N(l, 1) = Bi(l) U Bi(2) = 1(1), 2(1), 3(1), 2(2), 3(2), 7(2), 10(2), and 

7V(3, 4) = S 3 (l) U S 4 (2) = 7(1), 8(1), 9(1), 1(2), 3(2), 8(2), 11(2). 
Then, by Definition 3.1, the blocks Bi(l) and £?i(2) are the projections of the node iV(l, 1) on 
the designs d\ and cfe, respectively, i.e., proj(N(l, 1), 1) = B\(l) and proj(N(l, 1),2) = #i(2). 
Similarly, proj(N(3, 4), 1) = B 3 (l) and proj (N(3, 4), 2) = S 4 (2). Now, from Examples 2.8 and 
2.9, we see that Bi(l) and £3(1) are 1st associates while i?i(2) and £4(2) are 2nd associates. 
So, by Definition 3.2 we say that nodes N(l, 1) and iV(3, 4) are 12th associates of each other. □ 

In Definition 3.2, j\...jt 7^ . . . 0, since the nodes A and A' are distinct. Also, by (3), 
ji = 0, 1 or 2 if i G Q an d ji = or 2 if z € Q. Thus the set of all possible associate relationships 
between two distinct nodes in the KPS is given by 

I = {ji...jf.ji...jt^0... 0; ji = 0, 1 or 2 if i e Q and ji = or 2 if i G Q}. (5) 

We now obtain expressions for certain parameters of the association scheme on the set of 
nodes, as given by Definition 3.2. For j\ . . .j t £ I, let rij 1 ___j t denote the number of j\ . . . j t th 
associates of any node A. Then by Definition 3.2, rij 1 _„j t equals the product, over 1 < i < t, of 
the number of jjth associates of proj(A,i). Therefore, 

t 

n h-h = Yl e j i i i )- (6) 

i=i 

Again, given any two nodes which are jtth associates of each other, let P^i'.'.Mt wi...w t denote 
the number of nodes that are u\ . . . utth associates of one node and w\ . . . u>tth associates of the 
other, where j\ ■ ■ ■ jt,u\ . . . u t and w\ . . .Wt £ I- Then as in (6), 

t 

= \{^SS)- (7) 

i=i 

Let \j 1 ...j t denote the number of common keys between any two distinct nodes A and A' 
which are j\ . . . jtth associates of each other, j\ . . . jt G I- Then from Definition 3.2 it follows 
that 

V.* = I>*« ( 8 ) 
i=i 
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where ipj i (i) is the number of symbols (or equivalently, keys) common to proj(A, i) and proj(A' , i) 
when they are jjth associates of each other. By condition (IV) of Subsection 2.2 and the fact 
that each block of d{ is the Oth associate of itself, it is evident that 



We illustrate these concepts by continuing with the toy example in Example 3.1. 

Example 3.2 Toy Example continued: Since d\ is a PBIB and d 2 a BIB design, by (5), the set of 
all possible associate relationships between any two nodes in the KPS is / = {02, 10, 12, 20, 22}. 
Now, Examples 2.8 and 2.9 show that 0i(l) = 2, 2 (1) = 3 and 2 (2) = 8. Recalling from (1) 
that #o(l) = #o(2) = 1, by (6) it follows that the number of 02th associates of any node in the 
KPS is uq2 = 1x8 = 8. Similarly, mo = 2, ni2 = 16, mo = 3, n22 = 24. Now, using the 
values of <^\ )U)1 (1) and <^ 2 2jW2 (2) from Examples 2.8 and 2.9 and remembering (1), it follows 
from (7) that pl\ w = 0oi(l)^|o( 2 ) = 1x1 = 1= p\l fi2 , and similarly, p x 2 \ 20 = p x 2 \ 22 = 3x1 = 



3) ^22,22 — 3 X 7 — 21, p 2,12 — Pl2,02 — 1 X 7 — 7, Pio,l2 — Pl2,10 — 1 X 1 — 1, P\ 2 \ 2 — 1 X 7 — 7, 



while every other p]f lU2 WlW2 equals zero. 

Again, by (9), ip {l) = 3, Vo(2) = 4, ^i(l) = 0, Y> 2 (1) = ^(2) = 1, and so it follows from 
(8) that the number of symbols common between any two nodes which are 02th associates of 
each other is A02 = 3 + 1 = 4. Similarly, A10 = 4, A12 = 1, A20 = 5, A22 = 2. Hence, since q = 2, 
all pairs of nodes, other than those which are 12th associates of each other, can communicate 
directly with one another. □ 

4 Local connectivity 

In this section we explore the local connectivity of the KPS introduced in (4). Theorem 4.1 is 
the main result in this section and it gives an expression for the metric Pr for this scheme, in 
terms of the parameters of the constituent designs. Some notation and two lemmas are needed 
in order to present the theorem. Let 



where / is given by (5). So, any two nodes which are j\ . . . jjth associates of each other can 
communicate directly only if j\ . . . j t G A. Let A be the complement of A in / and let J2a> 
and J2i stand for sums over ji . . . jt £ A, j\ . . . j t € A and j± . . . j t G /, respectively. 



ipo(i) = h, ipi(i) = 0, ip2{i) = 1, l<i<t. 



(9) 



A = {ji ■ ■ ■ jt •■ jl ■ ■ ■ jt G A ;: ... ; . > q}, 



(10) 
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Given two distinct nodes which are j\ . . . j t Xh associates of each other, let t l j 1 ...j t denote the 
number of nodes sharing at least q(= t) common keys with both of them. Also, for any two 
distinct nodes A and A' in each other's neighborhood, let the intersection of their neighborhoods 
contain rj nodes excluding A and A' themselves. Define 

Pn-n = 1 " ( n! 2) , h ■ ■ ■ Jt e A. (11) 

Lemma 4.1 Any j± . . . jt (G /) is a member of A if and only if either 
(a) ji = for at least one i, or (b) ji = • • • = jt = 2. 

Proof of Lemma 4.1 Follows from (8), (9) and (10), noting that k{ >t for each i by condition 
(III) of Subsection 2.2. □ 

Lemma 4.2 Given two distinct nodes which are j\ . . . jtth associates of each other, if ji . . . jt € 
A, then fJ-j 1 ...j t =J2J2 P , ui'.'.M t ,w 1 ...w t > ^ e double sum being over u\ . . . ut £ A and w± . . .wt G A. 

Proof of Lemma 4.2 Follows from (10), on recalling the definition of pti'.'.M t ,w l ...w t - a 

Theorem 4.1 The probability that two distinct randomly chosen nodes A and A' in each other's 
neighborhood can establish communication, either directly or via a two-hop path, equals 
Pr = Pri + Pr2, where 

Pn = EAnil - if , (12) 
n — 1 



and 

^=E^,.,.«i:^f[i-(i-^f)l. 

A A 



Proof of Theorem 4.1 Let C be the event that the nodes A and A' can establish commu- 
nication either directly or via a two-hop path. Define E(ji . . . j t ) as the event that A and A 1 
are j\ . . .jtth. associates of each other. Since the events E{j\ . . .j t ), j\ ...jt G I, are mutually 
exclusive and exhaustive, we can write 

Pr = P(C) = ]T P{E(ji ■ ..jtftPiClEfo . ..j t )}, (14) 

where P{C\E(ji . . .jt)} is, as usual, the conditional probability of C, given E(ji . . .j t ). Now, 
for each j\ . . .jt G I, recalling that there are nj 1 ...j t nodes which are j\ . . .jtth. associates of any 
given node, it follows that 

r{'-Xi.....in} 1 "]!!;- r ^r- (is) 
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Moreover, if j\ . . . j t G A, then by (10), A and A' have at least t common keys and hence can 
establish direct communication, implying 

P{C\E{h . . . j t )} = 1, for h . . . j t e A. (16) 

On the other hand, if j\ ...jt £ A, then they have less than t common keys. In this case, direct 
communication between A and A' is not possible but they can establish communication via a 
two-hop path provided the intersection of their neighborhoods contains one of the fJ>j lm ..j t nodes 
sharing at least t common keys with both of them. Hence, using (11), it is clear that 

P{C\E{ji ■ -.jt)} = P n .., t , for^ ...j t € A. (17) 
Substitution of (15), (16) and (17) in (14) establishes the theorem. □ 

Remark 4.1 The approximation used in (13) is quite accurate when the quantities n — 2 — 
fjtjx . j t are large relative to 77, which is typically the case. Note also that the expression for Pr2 
in (13) is a refinement of that used in Lee and Stinson (2008) for q = 2. To see this, first note 
from (12) that 

J2a n ji...jt _ n — 1 — J2a n h-it p ri ng\ 

n — 1 n — 1 

because J2i n ji---j t = n — 1. Next, write /i* = minl^...^ : j± . . . j t G A} and from (11) observe 
that fij 1 ...j t > (3* for every j\ ...j t eA, where j3* is defined as in (11) with Hj 1 ...j t replaced by 
fi* . As a result, from (13) and (18), we get 



1-11-^ 

n — 



(19) 



Pr 2 > ]T H^Ap* = (i _ Pri)/ r « (1 - Pri ) [1 - f] 

A U 1 V 

For their quadratic scheme, Lee and Stinson (2008) took Pr 2 as the counterpart of the lower 

bound in (19) for their setup. Instead, we work here with the more direct expression given in 

(13), and in addition, this is valid for all q > 1. □ 

Remark 4.2 Lee and Stinson (2008) remarked that it is difficult to find an algebraic expression 
of fi* for their quadratic KPS, and therefore, studied Pr 2 through design specific numerical 
evaluation of [i* . An advantage of our method is that for all q(> 1), even when one starts with 
arbitrary designs, Theorem 4.1 gives readily applicable algebraic expressions for both Pri and 
Pr 2 for our schemes in terms of the design parameters. Equations (2), (6), (7), and Lemmas 
4.1 and 4.2 can be used in finding the rij 1 ___j t and ^j 1 ...j t: and hence one can find Pri and Pr 2 
explicitly in specific situations. The following examples serve to illustrate this point for the cases 
q = 1 and q = 2. □ 
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Example 4.1 Case: q = 1. We take t = 1 and construct a KPS as in (4) with d\ either (a) a 
PBIB or (b) a BIB design. 

(a) If d\ is a PBIB design with Ai = 0, A2 = 1, then its dual design d\ has 0i(l) > 0. Then 
n = b 1 and by (3), (5) and Lemma 4.1, Q = {1}, I = {1,2}, A = {2} and A = {1}. Also, from 
(6) and (7), n\ = #i(l), n2 = 6*2(1) and p<j>,2 = 02,2(1)- So by Lemma 4.2, [i\ = p\ 2 = 02,2(1)- 
Hence (12) and (13) yield 



02(1) _ A D _ 9,(1) , /, 4 2 (1) X?? 



Pri = and Pr2 



6i-2 



(20) 



61-I * 61-I 

(b) If d\ is a BIB design with A = 1, then its dual d x has 6»i(l) = 0, 2 (1) = 61 - 1. Then n = h 

61-1 
61-1 



and by (3), (5) and Lemma 4.1, Q = {1}, / = {2} = A. So by (12), Pri = j^f = 1 always. □ 



Remark 4.3 As mentioned in the Remark 3.1, the construction in Lee and Stinson (2008) with 
q = 1 is covered by (4). To see this in detail, we first note that in their construction, the nodes 
are taken as the blocks of a transversal design (cf. Stinson (2003)), with kp symbols and p 2 
blocks, such that (a) the set of symbols is partitioned into k groups each of cardinality p, (b) 
each group contributes one symbol to each block, and (c) any two symbols from different groups 
occur together in exactly one block. 

Recalling Definitions 2.7 and 2.8 it can now be checked that such a transversal design is 
actually the dual of a PBIB design based on a Latin square type association scheme with 
v* = p 2 , b* = kp, r* = k,k* = p, and Ai = 0, A2 = 1. Hence one can verify that their construction 
can equivalently be described via our construction in (4) with t = 1 and d\ chosen as this PBIB 
design. Then its dual d\ is their transversal design involving v\ = kp symbols and b\ = p 2 
blocks, such that conditions (I)— (IV) of Subsection 2.2 hold with r\ = p, k\ = k, #1(1) = 
(p - \)(p + 1 - k), 6» 2 (1) = k(p - 1), 4>\ 2 (1) = k(k - 1). Hence we can apply (20) to get 



k ( k 

Pri = and Pr2 



, , , Hk-i) Y 

' p 2 -2 



P + i V p + i, 

These exactly match the expressions for Pri and Pr2 in Subsection 4.1.1 of Lee and Stinson 
(2008). We will see in Remark 5.3 that their expression for fail(s) also follow from our corre- 
sponding expressions. □ 

Example 4.2 Case: q = 2. Toy example: We continue with the KPS considered in Exam- 
ples 3.1 and 3.2. From the Aj 1J2 values in Example 3.2, it follows that A = {02, 10,20,22} and 
so, using the nj 1 j 2 values obtained there, (12) gives Pri = (8 + 2 + 3 + 24)/53 = 0.6981. To 
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obtain Pr2, we see that A = {12}, and so, remembering the values of p}? iU2tWlW2 , u±u 2 , w±w 2 € A, 
obtained in Example 3.2, it follows from Lemma 4.2 that n\ 2 = 1 + 1 + 3 + 3 + 21 = 29. Hence, 
from (13), Pr2 = -g|[l — (1 — 29/52)''] and for varying values of rj we have 



V 


1 


2 


3 


4 


5 


10 


15 


20 


Pri + Pr 2 


0.8665 


0.9409 


0.9739 


0.9884 


0.9949 


0.9999 


1.0000 


1.0000 



□ 

Example 4.3 General Case, q = 2: (a) PBIB and BIB design: Suppose we construct a KPS 
as in (4) based on two designs d\ and d 2 given by a PBIB design with Ai = 0, A2 = 1 and 
a BIB design with A = 1, respectively. Hence their duals d\ and d 2 have 0i(l) > and 
9i (2) = 0. Then n = b x b 2 and by (3), (5) and Lemma 4.1, we have Q = {1}, Q = {2}, / = 
{02,10,12,20,22}, A = {02, 10, 20, 22} and A = {12}. Also, by (2) and (6), n 02 = 6*2(2), mo = 
0i(l), nia = 0i(l)0 2 (2), n 20 = 2 (l)andn 22 = 2 (1)0 2 (2). So from (12), on using (2), we have 

Pri = — ^-{0 2 (2) + 0i(l) + 02(l) + d 2 (l)9 2 (2)}, 

1 



= T-7 Ah + b 2 -2 + 02(1)^2(2)}. 

0\0 2 — 1 

Next by (7) and Lemma 4.2, 



(21) 



= EE EE^ (l)</\i 2 ,u, 2 (2) 

= 4,o(l)4, 2 (2) + 4,i(l)4,o(2) + 4, 2 (l)4,o(2) + 4, 2 (1)4, 2 (2) 

+^,o(l)^o,2(2) + <Ai,i(l)<o(2) + ^,2(l)^o,o(2) + ^1,2(1)^0,2(2) 

+4,o(l)4, 2 (2) + 4,i(l)4,o(2) + ^2,2(1)^0,0(2) + 42(1)<2(2) 

+4,o(l)^,2(2) + 4,i(l)4,o(2) + 4, 2 (l)4,o(2) + 4,2(1)4,2(2)- 
Hence invoking (1) for the association schemes underlying the designs d\ and d 2 , we get 

fi 12 = 2 + 24,(1) + 24,(1) + 4,2(1)4,2(2)- (22) 



Since A = {12} and n 12 = 0i(l)0 2 (2), (13) now yields 



Pr 2 



'i(l)g 2 (2) 
&1&2 - 1 



1-1- 



M12 



6162 - 2 



with ^12 as given in (22). 



(23) 
□ 
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Example 4.4 General Case q = 2: (b) Both PBIB designs: Now suppose we construct a 
KPS as in (4) based on two PBIB designs, each with Ai = and A2 = 1, resulting in 9\(l) 
and #i(2) both positive. Then n = 6162 and by (3), (5) and Lemma 4.1, Q = {1,2},/ = 
{01, 02, 10, 11, 12, 20, 21, 22}, A = {01, 02, 10, 20, 22} and A = {11, 12, 21}. Hence proceeding as 
in Example 4.3, one can check that 

Pri = ,, 1 161+62-2 + ^(1)^(2)}, 

°1°2 — 1 

nn = 0i(l)0i(2), nia = 0i(l)0 2 (2), n 21 = 2 (l)0i(2) 

Mil = 2 + 4 2 (l)4 2 (2), Mi2 = 2 + 2^ j2 (l) + 2^ i2 (l) + 4 2 (l)^ )2 (2), 

M21 = 2 + 2^ >2 (2) + 2^ 2 (2) + 4 2 (l)4 2 (2). 

Pr 2 can be readily obtained using these expressions for the rij 1 j 2 and fJ>j 1 j 2 , J1J2 £ A, in (13). □ 

5 Resiliency 

We now study the resiliency of the KPS as given by (4) and for this we recall the notion of fail(s) 
introduced in Subsection 2.1. Theorem 5.1 below gives an algebraic expression for fail(s) and it 
is the main result of this section. Some notation and a lemma are needed in order to present 
the theorem. 

Let A and A' be two distinct nodes which have at least t common keys, i.e., by (10), they 
are j\ . . .jtth associates of each other, for some j\ ■ ■ ■ jt € A. Then by Lemma 4.1, the set 
Q = {i '■ 1 < i < t, ji = or 2} is nonempty. For i £ fi, let Sj { (i) equal 1 or rj according as 
ji = or 2, respectively. Consider now any nonempty subset r of CI. Then for i € T, as noted in 
(9), proj(A, i) and proj(A', 1) are identical if ji = 0, while proj(A, i) and proj(A', i) have exactly 
one common key if ji = 2. Define H(A, A'; F) as the collection of nodes A", such that for every 
i £ T, proj(A",i) is different from proj(A,i)[= proj(A' whenever ji = 0, and proj(A" ,i) 
does not include the single key common to proj(A,i) and proj(A',i) whenever ji = 2. 

Lemma 5.1 With reference to any two distinct nodes A and A' which are j\ . . .jtth associates 
of each other, where j\ ...j ( eA, the cardinality of H(A, A';T) defined as above is given by 

*(r)= (lJ>-<^)}) (ilM- 

Wr / \i<£r J 
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Proof of Lemma 5.1 In view of the definition of the 5j i (i), this is evident from (4) on recalling 
that every symbol occurs in j-j blocks of d{ by condition (II) of Subsection 2.2. □ 

Theorem 5.1 Let ij 1 ...j t = n* =1 ^ Ji (i), where 

e (t) = i-(i-6r 1 ) a . aw = i, 6(*) = i-(i-^r 1 )'. i<*<*- 

T/ien /or s < min(fci, . . . ,kt), 



,n-2) J2A n ji-jt 

Proof of Theorem 5.1 Consider two distinct nodes A and A' . Let D denote the event that 
they have at least q(= t) common keys and F denote the event that the link between them fails 
when out of the remaining n — 2 nodes, s randomly chosen ones are compromised. Then 

fail(s) = P(F\D) = P{F n D)/P(D). (24) 

As in the proof of Theorem 4.1, let E(j\ . . . j t ) denote the event that A and A' are j\ . . ■ jtth. 
associates of each other. Then by (10) and (15), 

P(D) = £ P{E( 31 ...j t )}= " J ■ (25) 

Similarly, 

P(FDD) = J2 P {FDE(j 1 ...j t )} 
A 

= ^P{E(j 1 ...j t )}P{F\E(j 1 ...j t )} 
A 

= E^M- p {F\E(h...j t )}. (26) 
A 

In order to find an expression for the conditional probability in (26), take any fixed ji ■ ■ ■ jt € 
A, and condition on the event that A and A' are j\ . . . j'^th associates of each other. Then as 
noted in the context of Lemma 5.1, the set O = {i : 1 < i < t, ji = or 2} is nonempty. By (9), 
proj(A,i) and proj(A',i) have one or more common keys if and only if i G Q. For any such i, 
let Gi denote the event that not all of the key(s) common to proj(A,i) and proj(A',i) occur in 
one or more of the s randomly chosen nodes that are compromised. Then for the fixed j\ ■ ■ ■ jt 
under consideration, by the usual union intersection formula, 

P{F\E{j x . ..j t )} = 1 - P{U ten Gi} = 1 + £ (-l)l r lp(n, er Gi), (27) 

rcn 
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where the sum on the extreme right is over all nonempty subsets r of Q, and |T| denotes the 
cardinality of V. Note that the right side of (27) depends on j\ . . .j t through Q. 

For any fixed nonempty subset T of Vl, we now find the probability P(r\ e r Gi) appearing in 
(27). Denote the s randomly chosen nodes that are compromised by A\ , . . . , A*. Fix any i £ T, 
so that ji = or 2. First suppose ji = 0. Then proj(A,i) and proj(A' ,i) are identical, and Gi 
happens if and only if, for each 1 < I < s, proj(A*,i) is different from proj(A,i)[= proj(A' ,i)]. 
The only if part of this claim is obvious. The if part follows because any two distinct blocks 
of di intersect in at most one symbol or key (vide condition (IV) of Subsection 2.2) and s < 
min(fci, . . . , kt). Next, let ji = 2. Then proj(A,i) and proj(A',i) have exactly one common 
key and Gi happens if and only if, for each 1 < I < s, proj(A*,i) does not include this single 
common key. Recalling the definition of H(A, A'; V), it is now clear that flj G r Gi happens if and 
only if each of A*, ...,A* belongs to H (A, A'; T). So, as n = Ili=i h, by Lemma 5.1, we get 

( a(r) ) / a(T) 
P(n ter Gi) = * " ' - ' 



("; 2 ) Vn-2 
n \ s fa(T)^ s 



n — 2 J V n 



» \ S tt/. <)j{i) 



Since ^(i) = 1 for ji = 1, i.e., for i £ ft, and 



n(i-^p)- ^) 

ier 



.-(.-***) -wo. 

for ji = or 2, i.e., for i E ft, substitution of (28) in (27) yields 

n V ( 1 TT ( i 



p{F\E( jl ... jt ) } „ i+ ( » (-i) |ri n f 1 



rcn ier 

n 



bi 



n-2 



ten 

M^) +(^) n&w 



n \ s / n xs * 



=i 



If we now substitute (29) in (26) and then substitute (25) and (26) in (24) the result follows. □ 

Remark 5.1 The approximation in (28) and hence that in Theorem 5.1 is in the spirit of Lee 
and Stinson (2008). It is quite accurate when n and <r(r) are large and s is relatively small, 
which is typically the case. □ 
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Remark 5.2 The condition s < min(/ci, . . . , kt) in Theorem 5.1 is not severe because typically 
s is not large. Moreover, it can be checked that for the case q = t = 1, Theorem 5.1 remains 
valid even without this condition. □ 



Examples 4.1 and 4.3 are now revisited with a view to illustrating Theorem 5.1. Example 4.4 
can also be treated in the same way as Example 4.3 and so is not shown here. 

Example 5.1 Example 4.1 (continued). Here t = 1, n = b\ and, irrespective of whether d\ is 
a PBIB design with Ai = 0, A2 = 1, or a BIB design with A = 1, we have A = {2}. Hence 
Theorem 5.1 yields 

M(.) » 1 - (-IL Y + (-IL Y 6( i) = , _ ( 30) 

□ 



n-2 \n-2 



Remark 5.3 As a continuation of Remarks 3.1 and 4.3, we now see that the fail(s) values of 
the linear scheme constructed in Lee and Stinson (2008) also follow from Thoerem 5.1. Since 
their scheme has 61 = p 2 and r\ = p, on substituting these in our expression (30) we get 

fail(s)asl _gz|y. 

This matches the expression for fail(s) in their Subsection 4.1.1. □ 

Example 5.2 Example 4.3 (continued). Here t = 2, 6>i(l) > 0, 6\(2) = 0, n = b\b 2 and 
A = {02, 10, 20, 22}. As noted earlier, 

n 2 = e 2 {2), n 10 = 0i(l), n 20 = 2 (1), n 22 = 2 (1)0 2 (2). (31) 

Also, 

e 02 = {l-a-fer'nu-a-^n, 

do = l-a-^- 1 ) 5 , 

60 = {l-a-r^rHi-a-^n, 

e 22 = {l-a-r^rui-a-rA- 1 ) 5 }. (32) 

One can now readily apply Theorem 5.1 to find fail(s). □ 
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6 Applications 

As mentioned earlier, our method of construction, based on (4) and applicable to any q(> 1), 
can yield KPSs for widely diverse values of the underlying parameters such as the number of 
nodes n, the number of keys per node k and the key pool size v, thus enabling the practitioner 
to find a suitable KPS depending on the requirements of a given situation. This flexibility arises 
because of the freedom in choosing the PBIB or BIB designs d\,. . . ,d% that one starts with 
while applying (4). Furthermore, the analytical results in the last two sections can be applied 
to ensure that the resulting KPSs behave nicely with regard to local connectivity and resiliency, 
as measured by Pr and fail(s). 

In order to give a flavor of the points noted above without making the presentation too long, 
we now focus on the case q = 2 and in the next three subsections present three applications where 
d\ is a PBIB design based on the (a) GD, (b) triangular and (c) Latin square type association 
schemes, and d\ is a BIB design; note that these correspond to the setup of Example 4.3. The 
parameter values of the resulting KPSs, obtained via (a), (b) and (c) are seen to be 

(a) n = af(2g + 1), k = (a — l)f + g, v = (f) f 2 + ^{2g + l)g, where a, /(> 2) are any integers 
and g(> 3) satisfies g = or 1 (mod 3), 

(b) n = (™)(2g + l), k = ( m ~ 2 ) +g,v = 3(™) + \(2g + \)g, where m(> 4) is any integer and 
g is as in (a), 

(c) n = p 2 (2g + 1), k = k + g, v = kp + \ {2g + l)g, where p(> 3) and k{< p+ 1) are integers 
such that k — 2 mutually orthogonal Latin squares of order p exist, and g is as in (a). 

Thus these three applications alone are capable of producing KPSs for a wide range of parameter 
values. Moreover, Theorems 4.1 and 5.1 allow us to explore the properties of these KPSs and 
the examples in the next three subsections show that they can behave quite well with respect 
to Pr and fail(s). Indeed, our construction in (4), coupled with these theorems, can easily allow 
numerous other choices of d\ and d\ as well, and hence paves the way for obtaining KPSs with 
an even more versatile range of parameter values, while ensuring attractive values for Pr and 
fail(s). In contrast, the existing methods of construction are almost invariably design specific, 
i.e., they employ only BIB designs or only transversal designs and so on, and as a result, it is 
very difficult for these methods to achieve parameter values as diverse as what is achieved, for 
instance, in (a)-(c) above. In addition, the existing methods are not always informative about 
the properties of the resulting KPSs with regard to local connectivity or resiliency. We will 
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return to this comparison in more detail in the concluding section. 



6.1 Use of a PBIB design based on the group divisible association scheme 
and a BIB design 

Suppose the design d\ in Example 4.3 is a PBIB design based on the group divisible association 
scheme as in Example 2.6, with v\ = af, b\ = (j)/ 2 , K = 2, r* = (a — 1)/, Ai = 0, A 2 = 1. As 
seen there, such a d\ exists for all integers a, /(> 2). Also, let the d\ in Example 4.3 be a BIB 
design with v\ = 2g + 1, b\ = \(2g + \)g, fc 2 = 3, r\ = g, A = 1. Such a BIB design corresponds 
to the Steiner's triple system and it is well known (cf. Kirkman (1847)) that it exists for every 
integer g(> 3) satisfying g = or 1 (mod 3). Note that the BIB design in Example 2.1 belongs 
to this class with g = 4. 

In our construction (4), now take t = 2, with d\ and d 2 chosen as the dual designs of d* and 
d%, respectively. Then recalling Definition 2.2, the parameters of di are 

vi = Qf, h = af, n = 2, h = (a - l)f, 
6,(1) = f - 1, 2 (1) = (a - 1)/,#, 2 (1) = 0, 4 2 (1) = (a - 1)/, (33) 

and the parameters of d 2 are 

«2 = !(2# + 1)5, fo 2 = 2^ + 1, r 2 = 3, fc 2 = 5, 

01 (2) = 0, 2 (2) = 2 5 , 0l ;2 (2) = 2 5 - 1. (34) 

The KPS obtained from di and d 2 via (4) has v = v\ + v 2 = (g)/ 2 + §(2# + 1)5 keys and 
n = t>i&2 = o,f(2g + 1) nodes, there being k = k± + fc 2 = (a — 1)/ + g keys in every node. For 
this KPS, substitution of (33) and (34) in (22) yields [i\2 = 2 + (a — \)f(2g + 1) and hence from 
(21) and (23) we get 

af + 2g - 1 + 2(a - l)fg 



Pr 



Pr 2 ~ 2 (/"^ 



af(2g + l)-l 

M12 



of (2<? + 1) - 1 



1-1 



of (2<? + 1) - 2 



Similarly, substitution of (33) and (34) in (31) and (32) yields 



n 02 = 2g, n w = f - 1, n 20 = (a - 1)/, n 22 = 2(a - l)/#, 



a// J I V 2g + l 
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In our construction (4), take t = 2, with d\ and <i 2 chosen as the dual designs of d\ and <i 2 , 
respectively. Then recalling Definition 2.2, the parameters of d\ are 

«i=3(7), 6i = (T), n=2, fci = r 2 - 2 ) 5 
Oi(l) = 2(m - 2), 2 (1) = ( m - 2 ), # >2 (1) = m - 3, <^ 2 (1) = ( m f), (35) 

while the parameters of d 2 are as in (34). The KPS obtained from d\ and d 2 via (4) has 
v = 3(™) + \(2g + 1)5 keys and n = (™)(2g + 1) nodes, there being k = ( m ~ 2 ) + g keys in every 
node. For this KPS, substitution of (34) and (35) in (22) yields (x 12 = 2(m - 2) + ("7 3 )(2g + 1) 
and hence from (21) and (23) 

m(m - 1) + 4g - 2 + 2(m - 2)(m - 3)g 



Pri 
Pr 2 



m(m - l)(2g + 1) - 2 



8(m - 2) 5 



1 



1 



2// 



12 



m(m - l)(2p + 1) - 2 
Similarly, substitution of (34) and (35) in (31) and (32) yields 

m — 2 



m(m - l)(2g + 1) - 4 



no2 



2g, n 10 = 2(m - 2), n 20 



1 



C02 — 

60 = 1- 

60 = (l 

C22 = 



1 



2 


m(m - 


-1) 

s 


2<7 + l) 

4 




m(m - 
4 


-1) 


m(m - 


-1) 



n 22 = (m - 2)(m - 3)y, 
3 
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1 
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Theorem 5.1 can now be employed to find fail(s). Again, on varying m and g we can get KPSs 
for a variety of parameter values. Two illustrative examples follow. 



Example 6.3 Let m = 9 and g = 27. The resulting KPS has v = 873, n = 1980, k = 48 and 
the values of Pri, Pr 2 , Pr = Pri + Pr 2 and fail(s) are as: 



V 


1 


2 


3 


4 


5 


10 


15 


20 


Pri 


0.6180 


0.6180 


0.6180 


0.6180 


0.6180 


0.6180 


0.6180 


0.6180 


Pr 2 


0.1620 


0.2553 


0.3091 


0.3400 


0.3578 


0.3805 


0.3819 


0.3820 


Pr 


0.7800 


0.8733 


0.9271 


0.9580 


0.9758 


0.9985 


0.9999 


1.0000 


s 


1 


2 


3 


4 


5 


6 


8 


10 


fail(s) 


0.0021 


0.0094 


0.0210 


0.0362 


0.0544 


0.0750 


0.1216 


0.1728 
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Example 6.4 Let m = 8 and g = 31. The resulting KPS has u = 861, n = 1764, k = 46 and 
the values of Pri, Pr2, Pr = Pri + Pr2 and fail(s) are as: 



1] 


i 
i 


o 
z 


Q 


A 

4 





i n 


1 

10 


9n 
zu 


p rl 


0.5780 


0.5780 


0.5780 


0.5780 


0.5780 


0.5780 


0.5780 


0.5780 


Pr 2 


0.1538 


0.2515 


0.3136 


0.3531 


0.3782 


0.4175 


0.4215 


0.4220 


Pr 


0.7318 


0.8295 


0.8916 


0.9311 


0.9562 


0.9955 


0.9995 


1.0000 


s 


1 


2 


3 


4 


5 


6 


8 


10 


fail(s) 


0.0023 


0.0103 


0.0230 


0.0396 


0.0593 


0.0815 


0.1312 


0.1853 



□ 



6.3 Use of a PBIB design based on the Latin square type association scheme 
and a BIB design 

Now suppose the design d* in Example 4.3 is a PBIB design based on the Latin square type 
association scheme and having parameters v\ = p 2 , b* = kp, k* = p, r\ = k, X\ = 0, X 2 = 1. 
Such a design exists when p(> 3) and k(< p + 1) are such that k — 2 mutually orthogonal Latin 
squares of order p are available, cf. Definition 2.7. Hence following Definition 2.2, its dual design 
d\ has parameters 



Vl = kp, b 1=P 2 , n =p, k l = k, 0i(l) = (p-l)(p + l-A;), 9 2 (l) = k( P -l), 
< 2 (l) = fc(p-fc),4 2 (l) = fc(fc-l). 



(36) 



We continue with d 2 as in the last two subsections and (34) continues to hold for d 2 - In our 
construction (4), now take t = 2, with d\ and d 2 chosen as above. 

Clearly, the KPS obtained from d\ and d 2 via (4) has v = kp + \(2g + l)g keys and n = 
p 2 (2g + 1) nodes, there being k = k + g keys in every node. For this KPS, substitution of (34) 
and (36) in (22) yields m 2 = 2 + 2k(p - k) + k(k - l)(2g + 1) and hence from (21) and (23) we 
get 

p 2 + 2g - 1 + 2k{p - l)g 



Pn 
Pr 2 



p 2 (2 5 + l)-l 

2(p-l)(p+l-fc) g 
p 2 (2<7 + l)-l 



1 



1 



M12 



p 2 (2 ff + l)-2 



7 '1 



Similarly, substitution of (34) and (36) in (31) and (32) yields 

n 2 = 2g, n w = (p - l)(p + 1 - k), n 20 = k(p - 1), n 2 2 = 2k(p - l)g, 
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Theorem 5.1 can now be easily used to find fail(s). Again, KPSs for a variety of parameter values 
can be obtained by varying the values of p, k and g. Two illustrative examples follow. 

Example 6.5 Let p = 17, k = 12, g = 28. Then the resulting KPS has v = 736, n = 
16473, k = 40 and the values of Pri, Pr2, Pr = Pri + Pr2 and fail(s) are as: 



V 



10 



15 



20 



Pri 0.6736 0.6736 0.6736 0.6736 0.6736 0.6736 0.6736 0.6736 
Pr 2 0.1515 0.2327 0.2762 0.2995 0.3120 0.3258 0.3264 0.3264 
Pr 0.8251 0.9063 0.9498 0.9731 0.9856 0.9994 1.0000 1.0000 



1 



6 



10 



fail(s) 0.0030 0.0115 0.0244 0.0410 0.0606 0.0826 0.1320 0.1857 



□ 



Example 6.6 Now let p = 19, k = 13, g = 28. Then the resulting KPS has v = 779, 
n = 20577, k = 41 and the values of Pri, Pr2, Pr = Pri + Pr 2 and fail(s) are as: 



V 



1 



10 



15 



20 



Pri 0.6571 0.6571 0.6571 0.6571 0.6571 0.6571 0.6571 0.6571 
Pr 2 0.1508 0.2353 0.2826 0.3091 0.3240 0.3419 0.3428 0.3429 
Pr 0.8079 0.8924 0.9397 0.9662 0.9811 0.9990 0.9999 1.0000 



10 



fail(s) 0.0028 0.0104 0.0221 0.0372 0.0551 0.0753 0.1209 0.1710 



□ 



7 Shared key discovery 

A major advantage of our construction in (4) is that it makes the task of discovering the keys 
shared by any two nodes of the resulting KPS quite straightforward. This happens because of 
the following reasons: 

(a) Consider any two distinct nodes A and A'. From (4) and Definition 3.1 it is clear that 
proj(A,i) and proj(A' do not have any common symbol whenever i 7^ i' . Hence, the set 
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of keys (symbols) common to A and A' equals the union of the sets of symbols common to 
proj(A,i) and proj(A' the union being over alH, 1 < i < t. As a result, in order to discover 
the keys shared by A and A', it suffices to find the set of symbols common to proj(A,i) and 
proj(A' separately for each i, 1 < i < t. This is much simpler than comparing the entire sets 
of keys in A and A' . 

(b) Turning now to the identification of the set of symbols common to proj(A,i) and 
proj(A',i) for any i, from Definition 3.1 we see that this set is nothing but the set of sym- 
bols common to two blocks of di. Therefore, in view of the duality between di and the design d* 
that we originally started with, this set is simply the set of blocks labels where the correspond- 
ing two symbols of d* occur together. Thus identification of this set becomes particularly easy 
if the symbols and blocks in d* can be properly labeled so as to obtain algebraically a listing 
of the symbols appearing in each block of <i*. Since the d* considered here are PBIB or BIB 
designs, such labeling is possible under wide generality. For instance, the commonly used cyclic 
constructions of these designs, based on one or more initial sets, readily allow such labeling. 
This kind of labeling is also possible for the constructions described in Examples 2.6 and 2.7. 

Indeed in construction (4), each d* can potentially be any PBIB design with Ai = 0, A2 = 1 
or any BIB design with A = 1. Because of such diversity, it is unrealistic in the limited space 
of this paper to attempt to give an account of the labeling of blocks and symbols, mentioned in 
(b) above, encompassing all possibilities for d*, i = 1, . . . , t. For illustration, therefore, we now 
revisit the setup of Subsection 6.1 in some detail; those of Subsections 6.2 and 6.3 are briefly 
touched upon later. 

Recall that in Subsection 6.1, d* is a group divisible PBIB design constructed as in Exam- 
ple 2.6. Also d\ is a BIB design belonging to the Steiner's triple system, and as seen below, 
it is generated via a cyclic construction. The parameters of these designs are as described in 
Subsection 6.1. The facts noted below in (A) and (B) for these two designs will be useful. 

(A) Labels for symbols and blocks of d\: Denote the af symbols of d\ by ordered pairs /?7, 
where /?7 is the 7th symbol of the /3th group; 1 < f3 < a and 1 < 7 < /. Then as indicated 
in Example 2.6, its Q)/ 2 blocks are {(3^,(35}, and let these be labeled as (3(3^/5, say, where 
I < (3 < (3 < a and 7, <5 G {1,2,...,/}. Thus, any two distinct symbols /?7 and (35 occur 
together in some block if and only if (3 / f3, and if this happens then the unique block where 
they occur together has label (3/3^5 if (3 < f3 or f3f35j if (3 < (3. Let the label for this block be 
identified as Li(/3j,f38). 
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Similarly, the (a — 1)/ blocks where any symbol j3j occurs have labels (i) /3/3jS , where 
(3 < (3 < a and 6 G {1, 2, . . . , /}, and (ii) (3(35j where 1 < < j3 and S G {1, 2, . . . , /}. Let 
Vi(/?7) be the collection of these (a — 1)/ block labels. □ 

(B) Labels for symbols and blocks of d\- Let g = 1 mod 3 in d%, i.e., g = 3h + 1 for some 
integer h(> 1). So (#■> involves 6h + 3 symbols and (2h + l)(3/i + 1) blocks. Denote these symbols 
of d 2 by Cu where ( e {0,1,..., 2h}, u = 0, 1, 2. Then, the blocks of d 2 can be represented and 
labeled as 

{{y + z)x, {z ~ y)x, Zx+i} = xyz, say, and {z , z u z 2 } = 0z, say, 

where x, y and z range over {0, 1, 2}, {1, . . . , h} and {0, 1, . . . , 2h}, respectively, and the subscript 
x + 1 is reduced modulo 3, while y + z and z — y are reduced modulo 2h + 1. There is a unique 
block where two distinct symbols £« and <£ w , (C> u ) 7^ (C w )i occur together and let the label for 
this block be identified as L 2 (( u , ( w ). 

Since y ranges over {1, . . . , h}, the following are not hard to observe: 

(a) Let u = w and ( / (. Then L2(( u ,(u) = uyz, where z = (( + Q/2 mod 2h + 1 and 
y = (C — C)/2 or (C — Q/2 mod 2h + 1, depending on whether (£ — C)/2 mod 2h + 1 belongs to 
{l,...,/i} or {/i + 1, . . . , 2h}. 

(b) Let u ^ w and C = C- Then L2(Cu, Cw) = 0(". 

(c) Let w and C 7^ C- Then ^(Cn^Cw) = where = (it, C) or ( W )C)) depending on 
whether w = u+loru = w + l mod 3 and y = C — C or C — C mod 2h+l, depending on whether 
C - C mod 2h + l belongs to {1, . . . , h} or {h + 1, . . . , 2h}. 

Similarly, the g(= 3h + 1) blocks where any symbol Cu occurs are labeled as (i) uyz, where 
y G {1, . . . , h} and z = (±y mod 2h+l, (ii) (u — l)y(, where y G {1, . . . , h} and u — 1 is reduced 
mod 3, and (iii) 0£. Let V2(Cu) be the collection of these 3h + 1 block labels. □ 

Returning to the setup of Subsection 6.1, consider now the KPS constructed as in (4), 
with t = 2 and d\ and d 2 chosen as the dual designs of d* and d%, respectively, where d\ and 
^2 are as detailed in the facts (A) and (B) above. As seen in Subsection 6.1, this KPS has 
v = (tyf 2 + \{2g + l)g = Qf 2 + (2h + l)(3h + 1) keys and n = af(6h + 3) nodes. Since d x 
and d 2 are obtained by interchanging the roles of symbols and blocks in d\ and dJj, respectively, 
it is clear from (4) that the v keys correspond to the block labels of d\ and d 2 , while the n 
nodes correspond to ordered pairs whose first member is a symbol of d* and second member is 
a symbol of d\. 

Thus, using the facts in (A) and (B), the v keys can be denoted by /3/?7<5, xyz and Oz, where 
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1 < (3 < (3 < a and 7, 5 € {1,2,..., /}, while x, y and z range over {0, 1, 2}, {l,...,h} and 
{0, 1, . . . ,2h}, respectively. Similarly, the n nodes can be labeled as (f3j,( u ), where 1 < j3 < 
a, 1 < 7 < /, and u and C range over {0, 1, 2} and {0, 1, ... , 2h}, respectively. Then clearly, the 
keys appearing in any node (/?7,Cu) are given by the labels of the blocks of d\ containing the 
symbol ^7 and the labels of the blocks of d 2 containing the symbol Q u . Hence, as discussed in 
the beginning of this section, the keys shared by two distinct nodes {P"f,( u ), an d 05, ( w ) are 
given by the labels of the blocks of d\ containing both ^7 and (35 and the labels of the blocks of 
d 2 containing both ( u and ( w , i.e., using the facts noted in (A) and (B), these shared keys are 
as described below: 

(i) the keys in Vi((3j) and key L 2 (( u ,( w ), if £7 = (35 and ((,u) / ((,w); 

(ii) the keys in V 2 {( u ), if (3 = (3, 7 ^ 5 and ((,u) = ((,w); 

(hi) the key L\(j3^,(35) and the keys in V 2 (( u ), ^ P P an d (Ci u ) = (Ci w )'i 

(iv) the key L 2 (( u , Cw) if P = P, 7 + 5, and (C, u) / ((, w); 

(v) the keys L^JS) and L 2 (( u ,( w ) if p + $ and ((,u) + ((,w) 

Thus the keys shared by any two distinct nodes can be found readily from the node labels. 
Consider any two nodes A and A' in each other's neighborhood and by our construction as 
described above, suppose they are assigned labels (Pj,Cu) and 05, Cw), respectively. In the 
shared-key discovery phase, node A only broadcasts the four values P,J,( and u. Once node A' 
receives these four values, it simply checks them against the corresponding four values in its own 
label, decides on one of the five cases in (i)-(v) above and accordingly, it immediately identifies 
its common keys with A. Thus there is no need to solve any equations nor any complicated 
computations are involved. Path-key establishment is also similarly straightforward. 

For further illustration, we revisit the second example of Subsection 6.1, where a = 2, / = 23 
and g = 22. Then, as discussed above, the keys of the resulting KPS can be denoted by 
127(5, xyz and Oz, where 7, 5 € {1,2,..., 23}, while x, y and z range over {0, 1, 2}, {1, . . . , 7} 
and {0, 1, ... , 14}, respectively. Similarly, the nodes of this KPS can be labeled as (^7, ( u ) where 
/3 = 1 or 2, 1<7< 23, and u and ( range over {0, 1, 2} and {0, 1,. . . , 14}, respectively. From 
(i) above, the keys shared, for example, by the nodes (16, 4o) and (16, 60) are 1265, 1 < 5 < 23, 
which constitute 14(16), and L2(4o,6o) = 015. Similarly, from (v) above, the nodes (22, 5i) and 
(13,6 2 ) share the keys L x (22, 13) = 1232 and L 2 (5i,6 2 ) = 116. 

The other applications considered in Section 6 allow equally simple discovery of shared keys. 
The symbols and blocks of the triangular PBIB design in Subsection 6.2 can be represented along 



30 



the lines of (A) above. Also, following Lee and Stinson (2008), the blocks of d\ in Subsection 6.3 
can be so labeled that one can readily identify the common symbol, if any, between two given 
blocks. Furthermore, if g = mod 3 for the BIB design d%, then one can represent its symbols 
and blocks in a manner similar to (B) above. These representations readily yield the counterparts 
of V\, V2, Li and L2 for these designs. As a result, for constructions involving these designs, 
keys shared by any two distinct nodes can again be found easily from the node labels. 

8 Comparison of our method with some existing ones 

In this paper, we have given a general method for construction of KPSs using duals d\,. . . ,dt 
of PBIB or BIB designs. The most important features of our method can be summarized as 
follows: 

(i) It is applicable to any prespecified intersection threshold q > 1. 

(ii) It allows the construction of KPSs for a wide spectrum of parameter values, namely, the 
number of nodes n, the number of keys per node k and the key pool size v, thus enabling the 
user to find a suitable KPS in a given context. 

(hi) It ensures that n is multiplicative in the numbers of blocks of d± , . . . , dt while k is additive 
in the block sizes of these designs. This allows a large n and, at the same time, keeps k in check, 
(iv) It comes along with explicit formulae for the local connectivity and resiliency metrics as 
given by Pr and fail(s). It also keeps the tasks of shared key discovery and path key establishment 
simple. 

As seen earlier, for instance, in the beginning of Section 6 and in Remarks 4.1, 4.2, because 
of (i)-(iv) above, our method has several advantages compared to the existing ones. We now 
indicate these advantages in some more detail. 

First note that in contrast to (i), the existing methods based on combinatorial designs are 
typically meant for specific values of q, such as q = 1 in Camtepe and Yener (2004, 2007), Lee 
and Stinson (2005a), Chakrabarty et al. (2006), Dong et al. (2008), Ruj and Roy (2007) and 
Ruj et al. (2009), or separately for q = 1 and q = 2 in Lee and Stinson (2008). 

Next, as a consequence of (ii), our method allows us to obtain KPSs for networks where the 
number of nodes n need not be of any specialized form, such as the forms p(p — l)/2 or p(p — 1) 
as in Ruj and Roy (2007), or the forms p 2 (for q = 1) or p 3 (for q = 2), p a prime/prime power, 
as in Lee and Stinson (2008). Furthermore, because of (iii) and (iv), this can be achieved with 



31 



a control on the number of keys k per node, while assuring good values of the performance 
metrics. To understand why this is important, let q = 2 and suppose we start with a scheme 
of Lee and Stinson (2008) with n equal to the lowest prime power of the form p 3 that exceeds 
the target number of nodes. If we then discard the unnecessary node allocations to get the final 
scheme for use, this final scheme will not preserve the Pr and fail(s) values of the original scheme 
and hence the properties of the final scheme in this regard can become quite erratic. This is 
because, these performance metrics of the original scheme depend on the pattern of the keys 
allocated to the different nodes, this allocation having been done by exploiting the structure 
of some combinatorial design, and once a large number of the allocated nodes are discarded, 
the underlying combinatorial structure is disrupted, leading to a scheme with uncertain local 
connectivity and resiliency properties. 

For illustration, suppose it is desired to obtain a KPS with about 16500 nodes. Then our 
Example 6.5 gives a scheme with 16473 nodes with demonstrated good values of the performance 
metrics. The closest higher prime power of the form p 3 is 27 3 = 19683. If we start with the 
scheme of Lee and Stinson (2008) with allocation for 19683 nodes, we will have to delete the 
allocation for about (19683-16500=)3183 nodes constituting 16.17% of the original 19683 nodes. 
After such large scale deletion, the Pr and fail(s) values of the final scheme very much depend on 
the particular nodes deleted and hence become quite arbitrary. Similarly, if about 20500 nodes 
are needed, then our Example 6.6 gives a scheme with 20577 nodes and assured properties 
while the nearest scheme of Lee and Stinson (2008) with 29 3 = 24389 nodes entails a deletion 
of about 3889, i.e., 15.95%, of the nodes, leading to unpredictable performance. In either of 
these situations, the constructions in Ruj and Roy (2007), with n = p(p — l)/2 or p(p — 1) and 
k = 2(p — 2), can bring n close to the target but at the cost of prohibitively large (i.e., 250 or 
even larger) values of k. In contrast, the schemes in our Examples 6.5 and 6.6 involve only 40 
and 41 keys per node. The additive nature of k in our construction, as mentioned in (iii) above, 
helps in achieving this. 

Finally, as noted in (iv), our method comes along with explicit and readily applicable for- 
mulae for Pr = Pri + Pr2 and fail(s), and also keeps the tasks of shared key discovery and path 
key establishment simple. Not all of these aspects have been explored in many of the existing 
constructions of KPSs via combinatorial designs, and even when this is done, analytical results 
on Pr and fail(s) are not always available. For example, Dong et al. (2008) studied only Pri 
and fail(l) for their scheme. Again, as seen in Remark 4.2, the quantity Pr2 in the Lee and 



32 



Stinson (2008) scheme for q = 2 does not admit an explicit expression and its calculation calls for 
design specific numerical enumeration which can be difficult when the number of nodes is large. 
Similarly, Ruj and Roy (2007) and Ruj et al. (2009) gave some bounds on the expected number 
of links that will be broken if a specified number of nodes are compromised in their schemes 
and reported associated simulation results, but did not study fail(s). Incidentally, their schemes 
have Pri = I, a feature shared also by our construction when the initial designs d*,...,d% are 
all taken as BIB designs with A = 1; cf. Example 4.1. However, as argued in Lee and Stinson 
(2008), a scheme with Pri = 1 will have poor connectivity in the event of node compromise as 
reflected in large fails(s) values. This is why we have focused on schemes with good values of 
Pr rather than attempting to have Pri = 1. 

To sum up, our method of construction is a broad spectrum one which supplements and 
improves upon the existing methods from various considerations. It is applicable to any inter- 
section threshold q > 1 and allows the construction of KPSs for widely diverse parameter values. 
The fact that it is supported by a detailed study of the performance metrics, including explicit 
formulae for Pr and fail(s), further enhances the scope of its application. 
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